[ https://issues.apache.org/jira/browse/OFBIZ-4316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Gray closed OFBIZ-4316.
-----------------------------

    Resolution: Invalid

The label widget currently doesn't support disabling encoding; it isn't a bug 
but instead just an improvement required.  When you originally asked how to 
prevent encoding I assumed you were referring to within a FreeMarker template; 
that's why I suggested using StringUtil.wrapString(), but it isn't intended or 
supported for use in expandable widget fields.

Also, the forum content should never be rendered unencoded because it opens up 
XSS vulnerabilities by allowing users to post malicious HTML/JS content.

> Widget $() escapes HTML. StringUtil.wrapString(contentText) throw an error
> --------------------------------------------------------------------------
>
>                 Key: OFBIZ-4316
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4316
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content, framework, specialpurpose/ecommerce
>    Affects Versions: SVN trunk
>            Reporter: BJ Freeman
>              Labels: html, rendering, widget
>             Fix For: SVN trunk
>
>
> from the ForumScreens.xml#ViewForumMessage
> {code}
>                         <container style="forumtext">
>    <label>${contentText}</label>
> {code}
> shows escaped HTML
> {code}
> * Data Source<br /> * Marketing Campaign<br /> * Tracking Affiliate 
> programs<br /> * Segment<br /> * Contact List<br /> * Reports<br /> <a 
> class="postlink" 
> href="https://demo-trunk.ofbiz.apache.org/marketing/control/main"USERNAME=flexadmin&PASSWORD=ofbiz&JavaScriptEnabled=Y";>Demo
>  Marketing</a> 
> {code}
> replacing 
> {code}<label>${contentText}</label>{code}
> with
> {code}${StringUtil.wrapString(contentText).toString()}{code}
> gives this error
> 2011-06-15 18:16:43,200 (TP-Processor13) [ UtilXml.java:1043:ERROR]
> XmlFileLoader: File
> file:specialpurpose/ecommerce/widget/ForumScreens.xml
> process error. Line: 151. Error message: cvc-complex-type.2.3: Element
> 'condition' cannot have character [children], because the type's content
> type is element-only.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
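
An added example, not part of the original message and not OFBiz code: one way to keep forum text encoded by default while still allowing the kind of formatting the reporter's post contains (`<br />` and a `postlink` anchor). The class name, the tag allowlist and the accepted link form are assumptions made for illustration; it goes beyond the thread by showing an encode-then-allowlist step instead of turning encoding off.

```java
import java.util.regex.Pattern;

public class ForumTextRenderer {
    // Assumed allowlist: attribute-free formatting tags only.
    private static final Pattern SIMPLE_TAG =
        Pattern.compile("&lt;(/?(?:b|i|em|strong)|br ?/?)&gt;");
    // Assumed link form: optional class="postlink", then an http(s) href and nothing else.
    private static final Pattern LINK = Pattern.compile(
        "&lt;a (?:class=&quot;postlink&quot; )?href=&quot;"
        + "(https?://(?:(?!&quot;|&#39;|&lt;|&gt;)\\S)+)&quot;&gt;(.*?)&lt;/a&gt;");

    /** Encode every HTML metacharacter so the text is inert wherever it lands in HTML. */
    static String encode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Encode first, then re-enable only markup that matches the allowlist exactly. */
    static String render(String userText) {
        String safe = encode(userText);
        // The URL stays entity-encoded inside the attribute; other attributes are dropped.
        safe = LINK.matcher(safe).replaceAll("<a href=\"$1\" rel=\"nofollow noopener\">$2</a>");
        return SIMPLE_TAG.matcher(safe).replaceAll("<$1>");
    }

    public static void main(String[] args) {
        // Constructed forum post: allowed formatting mixed with markup that must stay inert.
        String post = "* Reports<br /> <b>bold</b> "
            + "<a class=\"postlink\" href=\"https://example.com/main?a=1&b=2\">Demo</a> "
            + "<a href=\"javascript:alert(1)\">x</a> <img src=x onerror=alert(1)>";
        System.out.println(render(post));
    }
}
```

Anything that does not match the allowlist exactly, including the non-http link and the `img` tag in the sample, remains encoded text. For production use a maintained HTML sanitizer library is the safer choice than hand-written patterns.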

        
